
ACEGI 0.8.2 + CAS 3.0: Global logout and user refresh

Being authenticated in webapp A, I open a browser on webapp B -> I am authenticated. Fine.

Then I log out in webapp A. Then I try to access a protected page on webapp A => I am still authenticated !!!

Reason found: When I log out, CAS destroys the TGC. Fine. But the ticket is still in the CasAuthenticationProvider's statelessTicketCache. As a consequence, the CasAuthentication never detects the user logged out.

Here is the code of the CasAuthenticationProvider that leads me to say that:

The behaviour you are observing is expected in CAS 2. If you log out of the CAS server, it has no way of notifying already running applications of your logout. Please check the CAS mailing lists for further information, e.g. http://tp.its.yale.edu/pipermail/cas...ry/001010.html.
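
A minimal model of the situation discussed in this thread, added here as an example and not code from Acegi, CAS or either poster: an application-side ticket cache keeps accepting a ticket after the CAS server has dropped the session, until the entry expires or the application evicts it during its own logout. All class and function names, the ticket value and the 300-second lifetime are hypothetical.

```python
import time

class CasServer:
    """Constructed stand-in for the CAS server: it only tracks live SSO sessions."""
    def __init__(self):
        self.sessions = set()
    def login(self, user):
        self.sessions.add(user)
        return f"ST-{user}"              # constructed service ticket
    def logout(self, user):
        self.sessions.discard(user)      # session gone; no application is notified

class ServiceTicketCache:
    """Hypothetical per-application cache of already validated tickets."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}               # ticket -> (user, expiry time)
    def put(self, ticket, user):
        self._entries[ticket] = (user, self.clock() + self.ttl)
    def get(self, ticket):
        entry = self._entries.get(ticket)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() >= expiry:       # bounded lifetime limits the stale window
            del self._entries[ticket]
            return None
        return user
    def evict_user(self, user):
        """Call from the application's own logout handler."""
        stale = [t for t, (u, _) in self._entries.items() if u == user]
        for ticket in stale:
            del self._entries[ticket]

def demo():
    now = [0.0]                          # fake clock so the run is deterministic
    cas = CasServer()
    cache = ServiceTicketCache(ttl_seconds=300, clock=lambda: now[0])
    ticket = cas.login("alice")
    cache.put(ticket, "alice")
    cas.logout("alice")                  # central logout only
    still_accepted = cache.get(ticket)   # cache never heard about the logout
    now[0] = 301.0
    after_ttl = cache.get(ticket)        # entry has expired
    cache.put(ticket, "alice")
    cache.evict_user("alice")            # local logout clears the entry at once
    after_evict = cache.get(ticket)
    return still_accepted, after_ttl, after_evict
```
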